Safeguard
Tag

supply-chain

Safeguard articles tagged "supply-chain" — guides, analysis, and best practices for software supply chain and application security.

749 articles

Supply Chain

A Defender's Template for Package Registry Incident Communications, Built from the 2025-2026 Response Postmortems

The npm Shai-Hulud, PyPI credential-leak, and tj-actions response postmortems published through 2025-2026 reveal a common communication shape. Here is the template, the timing, and the policy that turns the template into a fast response.

May 14, 20267 min read
Supply Chain Attacks

Netlify Build Plugins as arbitrary code execution at build time in 2026

The @netlify/plugin-* ecosystem runs in your build with full filesystem and network access. Here is how to evaluate, allowlist, and gate it in 2026.

May 14, 20267 min read
Industry Insights

Nonprofit software supply chain risk in 2026

Donor CRMs, grant management platforms, and what the 2020 Blackbaud ransomware incident still teaches the nonprofit sector about resource-constrained software supply chain reality.

May 14, 20267 min read
Open Source

A practical framework for assessing single-maintainer project risk

Truck factor is the headline metric, but it is not enough. Here is a working framework for evaluating single-maintainer projects in your dependency tree without panicking or being naive.

May 14, 20268 min read
Supply Chain Attacks

Squid proxy memory corruption CVEs: a supply chain perspective

Squid's recurring memory-corruption CVEs in 2024 and 2025 are a reminder that transparent egress proxies sit on a critical path and rarely get the SBOM scrutiny their position deserves.

May 14, 20267 min read
DevSecOps

npm Trusted Publishing walkthrough: retiring long-lived publish tokens

npm Trusted Publishing replaces long-lived publish tokens with short-lived OIDC-issued credentials tied to a specific CI workflow. Here is the 2026 rollout state, what the migration actually looks like, and where the rough edges still are.

May 14, 20269 min read
Supply Chain Attacks

TanStack and the Mini Shai-Hulud npm Worm (May 2026): Anatomy of a CI-Native Supply Chain Attack

On 11-12 May 2026, the TeamPCP-linked Mini Shai-Hulud worm published 84 malicious artifacts across 42 TanStack npm packages in six minutes, then spread to 160+ packages by abusing GitHub Actions OIDC tokens and CI cache poisoning.

May 13, 202612 min read
Cloud Security

Vercel Edge Functions supply chain risks in 2026

Edge Functions, middleware, and Edge Config combine npm trust, build-step trust, and a secret surface that runs at every request. Here is the 2026 control set.

May 13, 20267 min read
Industry Insights

AgTech and food-tech software supply chain risk in 2026

Precision agriculture platforms, FSMA 204 traceability databases, and the John Deere right-to-repair debate as a software supply chain question rather than a property rights one.

May 13, 20267 min read
Open Source

Maintainer burnout is a supply-chain risk: lessons from xz-utils

The xz-utils backdoor was made possible because a single exhausted maintainer accepted help from a patient and well-resourced stranger. Sustaining critical maintainers is now a security problem, not just a moral one.

May 13, 20267 min read
Compliance

DHS/CISA Binding Operational Directives and supply chain cascade effects in 2026

BOD 22-01 (KEV) and BOD 23-02 (external attack surface) apply directly to federal civilian agencies, but their downstream contractual cascade into the software supply chain is now the more consequential effect.

May 13, 20268 min read
DevSecOps

npm provenance attestations walkthrough for 2026

npm provenance ties a published package to the specific GitHub Actions run that built it, signed through sigstore. Here is how to enable it for a publisher, verify it on the install side, and enforce it in CI without breaking your release process.

May 13, 20269 min read
supply-chain (Page 5) — Safeguard Blog